1. General Provisions C&R Research Co., Ltd. (hereinafter referred to as the "Company") actively protects the personal information of customers (including non-registered users) collected and processed through offline channels or the Company’s website, and complies with all applicable laws and regulations, including the Personal Information Protection Act. The Company’s Privacy Policy may be modified in accordance with relevant laws, guidelines, and internal operational policies. In the event of any changes to the Privacy Policy, the Company will notify customers individually or announce the changes on its website. 2. Methods of Collecting Personal Information and Purpose of Collection and Use a. Methods of Collection The Company collects only the minimum necessary personal information through collection function on the Company’s website in order to provide the services requested by customers. b. Purpose of Collection and Use To provide clinical trial outsourcing services tailored to the needs of customers. The Business Development Team of C&R Research not only provides quotations for clinical trial-related outsourcing based on customer requests but also actively proposes project designs and budgets that take into account the number of subjects, even prior to contract execution, utilizing the expertise of its specialized staff. To recommend appropriate investigators by considering market conditions and the characteristics of researchers, and to ensure satisfactory and efficient project execution through continuous customer management even after contract signing. To help customers achieve optimal outcomes in terms of cost, timeline, and quality, as a partner in new drug development. 3. Items of Personal Information Processed and Retention Period The personal information of customers that the Company processes for the purposes described in Article 2, along with the corresponding retention periods, are as follows: C&R Research Website (http://www.cnrres.com/ ): Name, Contact information, Email address, Company name, Department name, Job title/position, Service items, Inquiry details, Cookies (Retention Period: Three (3) months after the deletion of customer registration.) 4. Retention Period and Destruction of Personal Information a. Retention Period of Personal Information Customer personal information will be destroyed without delay once the purpose of processing has been achieved or the retention period has expired. However, where the retention of such information is required under other applicable laws and regulations, the Company may retain the personal information even after the retention period has expired. The primary retention periods are as follows: Commercial books and important documents related to business operations: Basis: Commercial Act | Retention period: 10 years Books and supporting documents related to transactions, tax invoices, or receipts: Basis: Framework Act on National Taxes, Corporate Tax Act, VAT Act | Retention period: 5 years Records related to contracts, withdrawals, payments, and supply of goods: Basis: Act on the Consumer Protection in Electronic Commerce | Retention period: 5 years b. Personal Information Validity Period System The company will not take measures to separate the database or notify customers 30 days in advance of their accounts being converted to dormant status for customers who have not used the service for one year, in accordance with the revised Personal Information Protection Act (revised on March 14, 2023) that came into effect on September 15, 2023. c. Procedures and Methods of Personal Information Destruction Destruction Procedures: Personal information for which the retention period has expired is selected and destroyed upon approval from the Personal Information Protection Officer. Destruction Methods: Electronic data: Destroyed in a way that prevents recovery. Paper documents: Shredded or incinerated. 5. Outsourcing of Personal Information Processing a. Current Status of Outsourced Personal Information Processing UL Design Co., Ltd.: Website maintenance company b. Notification to Customers When entrusting business related to promoting goods or services or soliciting sales, the Company will obtain consent or notify the status of the entrusted business by written notice, email, fax, telephone, text message, or other equivalent methods. c. Outsourcing Agreements The Company clearly stipulates in its outsourcing agreements the obligations to comply with personal information protection laws and regulations, the prohibition of third-party provision of personal information, and the allocation of responsibilities. Any changes will be disclosed through this Privacy Policy. 6. Rights and Obligations of Data Subjects and Methods of Exercise a. Requests for Access and Suspension of Processing Customers may request access to, or suspension of the processing of, their personal information. However, the Company may deny such requests in the following cases: Where required to comply with laws Where it may harm others or unjustly infringe on rights Where the service cannot be provided without processing, and the customer has not clearly stated their intent to terminate the contract b. Requests for Correction and Deletion Customers may request correction or deletion of errors in their personal information, except where the data is required by law to be retained. The Company will not use the data until corrections are made and will correct any errors discovered without delay. c. Methods of Exercise These rights may be exercised by the data subject or through an authorized representative by submitting a power of attorney (as per the relevant form in the Enforcement Rule of the Personal Information Protection Act). For requests, refer to Article 10. 7. Measures to Ensure Security a. Administrative Measures Designation of a Personal Information Protection Officer and implementation of internal management plans Training for employees and contractors Regular internal audits b. Technical Measures Access control and restriction Logging and storage of access records Use of firewalls and secure access methods (e.g., VPNs) Password policy enforcement Encryption of sensitive information Regular software updates Secure storage of access records c. Physical Measures Access control and locking mechanisms are in place to prevent unauthorized physical access to personal information. 8. Restrictions on the Transmission of Advertising Information The company does not transmit advertising information for commercial purposes against the explicit refusal of customers. Any advertising communication via electronic means (email, SMS, etc.) will comply with relevant laws. Upon a customer’s opt-out request, advertising transmission will cease immediately, and the customer will be notified. Preferences will also be periodically reconfirmed. 9. Remedies for Infringement of Rights a. Remedies for Personal Information Infringement If the Company becomes aware of personal information misuse, it will suspend use or delete the relevant account. Immediate action will also be taken if a victim requests such. Customers may also contact the following organizations for help: Personal Information Infringement Report Center (KISA) Website: http://privacy.kisa.or.kr Phone: 118 Address: 3rd Floor, 9 Jinheung-gil, Naju-si, Jeollanam-do, Republic of Korea (Postal Code: 58324) Personal Information Dispute Mediation Committee Website: https://www.kopico.go.kr Phone: 1833-6972 Address: 4th Floor, Government Complex Seoul, 209 Sejong-daero, Jongno-gu, Seoul (03171) Cyber Bureau, Korean National Police Agency Website: https://cyberbureau.police.go.kr Phone: 182 Cybercrime Investigation Department, Supreme Prosecutors’ Office Website: https://cybercid.spo.go.kr Phone: 1301 b. Personal Information Protection Officer Name: Jin-Hee Hwang, Executive Director Phone: +82-2-6251-1500 Email: cnrres@cnrres.com 10. Automatically Collected Information such as Internet Access Files Cookies are small pieces of information stored on a user’s device to enhance website usability. The Company uses cookies to provide personalized services and does not use them for commercial purposes. Users may refuse cookies through browser settings, though doing so may affect service availability. Example (Internet Explorer): Tools → Internet Options → Privacy 11. Changes to the Privacy Policy This Privacy Policy is effective as of May 1, 2024. If changes are made, the Company will announce the date of revision and clearly disclose both the old and new content for comparison.